Who Changed Conditional Access Policy
Query
//Reporting when a Conditional Access Policy is updated and who did it
AuditLogs
| where OperationName == "Update policy"
| extend Person = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| project PersonExplanation
This query is looking at the AuditLogs table to find instances where a Conditional Access Policy has been updated. It then extracts the user who initiated the update and displays their userPrincipalName.
Details

Rod Trent
Released: February 5, 2021
Tables
AuditLogs
Keywords
AuditLogsOperationNameUpdatePolicyInitiatedByPersonuserPrincipalName
Operators
where==extendtostringparse_jsonproject